11.0 Using Migration Commands for Transfer ID

Before running Transfer ID, ensure you have met all the prerequisites and prepared your servers as described in Section 4.2, Preparing the Source Server for Migration and Section 4.3, Preparing the Target Server for Migration.

Before you begin, remember the following considerations:

To perform Transfer ID using CLI:

| Parameters | Value | Description |
|---|---|---|
| sourceipaddress | 172.16.100.101 | The server whose identity is to be transferred to the target server. |
| projectpath | /var/opt/novell/migration/NewProj0 | The path of the project created to perform Transfer ID. |

  1. eDirectory Precheck: Executes the prerequisites of the Transfer ID process.

    1. Use the following command to perform an eDirectory precheck:

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      When prompted, enter the username and password of the source server.

      This step can be executed multiple times to verify the health of the eDirectory tree. Execution of this step does not modify the source server or the target server.

    2. Check the availability of the hostname and IP address on the source server. The hostname or IP address can be resolved using the DNS server or using the /etc/hosts file on the source server (OES Linux) or SYS:etc\hosts file on the NetWare server.

    3. The nam.conf file on the target server includes LUM settings that will be required later while performing the repair steps for migration. Create a backup of /etc/nam.conf file on the target server by executing the following command:

      cp /etc/nam.conf <Project_path>/nam.conf.target

      For example, cp /etc/nam.conf /var/opt/novell/migration/NewProj0/nam.conf.target

    4. If the source server is OES 1, OES 2 or OES 11, create a backup of the /etc/nam.conf file of the source server.

    5. Retrieve and store the list of LUM enabled groups:

      (Conditional) If the source server is NetWare, enter

      ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <target server short hostname> -a <admindn> -S <ldap-server-ip> --ldap-port <port number> -p <password> -l

      The above command displays the list of groups that are LUM-enabled on the target server. These same groups must be LUM-enabled on completion of Transfer ID.

    6. If the source server is OES 1, OES 2 or OES 11, ensure that the ssh keys are copied to avoid multiple prompts for the password on execution of this step.

      To copy the ssh keys:

      1. Enable ssh on the source server and target server.

      2. On the target server, enter the following command:

        # ssh-keygen -t rsa

        On executing the above command, you are prompted for the following:

        1. Enter file in which to save the key (/root/.ssh/id_rsa), press Enter.

          The ssh keys are stored in the default location.

        2. Enter passphrase (empty for no passphrase), press Enter.

          We recommend that you do not include a passphrase.

      3. Copy the key value, that is, the output of the above command, to the source server.

        # scp ~/.ssh/id_rsa.pub root@<source-server>:/tmp

      4. Log in to the source server using ssh and add the key value to the list of authenticated keys.

        cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys
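
The append step above, as an added example that is not part of the original procedure: the key is a passphrase-less root key, so it is worth installing it exactly once with strict permissions and removing it again when the steps that need it are done. The function names are hypothetical; the paths in the usage comment are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not part of the product documentation). Function names are
# hypothetical; run on the source server as root with the paths used above:
#   install_migration_key /tmp/id_rsa.pub /root/.ssh/authorized_keys
#   revoke_migration_key  /tmp/id_rsa.pub /root/.ssh/authorized_keys

# Append the public key in PUB to AUTH exactly once.
install_migration_key() {
    mk_pub=$1 mk_auth=$2
    [ -s "$mk_pub" ] || { echo "missing public key: $mk_pub" >&2; return 1; }
    mk_dir=$(dirname "$mk_auth")
    # Owner-only permissions keep sshd's StrictModes check satisfied
    mkdir -p "$mk_dir" && chmod 700 "$mk_dir" || return 1
    touch "$mk_auth" && chmod 600 "$mk_auth" || return 1
    mk_key=$(cat "$mk_pub")
    # -x whole line, -F fixed string: re-running must not add a duplicate
    if grep -qxF -- "$mk_key" "$mk_auth"; then
        return 0
    fi
    # A plain "cat >>" glues the key onto the last entry when the file does
    # not end in a newline; add the newline first in that case.
    [ -z "$(tail -c 1 "$mk_auth")" ] || echo >> "$mk_auth"
    printf '%s\n' "$mk_key" >> "$mk_auth"
}

# Remove that key from AUTH again and delete the copy left in /tmp.
revoke_migration_key() {
    mk_pub=$1 mk_auth=$2
    [ -s "$mk_pub" ] && [ -f "$mk_auth" ] || return 1
    mk_key=$(cat "$mk_pub")
    mk_tmp=$(mktemp "$mk_auth.XXXXXX") || return 1   # created with mode 600
    # grep -v exits 1 when no line is left to print, which is fine here
    grep -vxF -- "$mk_key" "$mk_auth" > "$mk_tmp" || [ $? -eq 1 ] ||
        { rm -f "$mk_tmp"; return 1; }
    mv "$mk_tmp" "$mk_auth" && rm -f "$mk_pub"
}
```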

    7. If the source server is OES 1, OES 2 or OES 11, ensure that you copy the .nss.dat file to the target server. This file stores the NSS user context information of the source server and is required when you repair the NSS admin object.

      Enter the command on the target server,

      scp <Source-IP>:/var/opt/novell/nss/.nss.dat /tmp/

  2. Preparation: Removes the eDirectory from the target server. The LUM association with the groups and users is no longer available because the Unix Workstation object is also removed.

    1. To remove the Unix Workstation object on the target server, enter

      /usr/bin/namconfig rm -a <admindn>

      For an SSL connection, you must use the -l option in the above command and specify the default port number, 636.

    2. To remove eDirectory from the target server, enter

      /opt/novell/eDirectory/bin/ndsconfig rm -c -a <admindn dot format> -w ADM_PASSWD --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      Use dot format when passing values for the -a option. For example, -a admin.novell

    3. To verify the health of the eDirectory and to ensure that both the source server and target server are time-synchronized, enter

      migedir -s <sourceipaddress> -u -A <projectpath> -i -t

      For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -t

      NOTE: When prompted, enter the username and password of the source server.

  3. DIB Copy: Creates a backup of the eDirectory DIB (Directory Information Base) of the source server on to the target server. This step locks the DIB of the source server and further operations are not permitted on the source server.

    migedir -s <source-server-ip> -u -A <logfile directory> -i -B

    For example, /opt/novell/migration/sbin/migedir -s 172.16.100.101 -u -A /var/opt/novell/migration/NewProj0 -i -B

    On running the above command, you are prompted for the username and password of the source server. Enter the admin credentials when prompted.

    IMPORTANT: This command fails to execute if the replica ring is not in sync, or the time is not synchronized between all the servers in the replica ring.

    NOTE: If you need to perform any operations on the source server, you must unlock the DIB. To unlock the DIB on a NetWare server, reload the DS.nlm file; on an OES 1 Linux, OES 2 Linux or OES 11 server, restart the ndsd daemon.

  4. Shutdown Source: Shut down the source server.

  5. DIB Restore: Restores the eDirectory database that was backed up from the source server in Step 3 on the target server. This includes the NICI keys and the DIB identity.

    IMPORTANT: Ensure that you back up the target eDirectory database and NICI keys. For more information, see Section 11.1, Backup eDirectory Database and NICI Keys.

    1. At the command prompt of the target server, enter

      migedir -R

      On running the above command, you will be prompted for the administrator credentials for the source server.

      WARNING: If the backup in Step 3 was not successful, the DIB Restore step fails. A failure at this point may cause the eDirectory service on the target server to be unusable.

  6. IP Address Change: The IP address of the target server and its services is changed to the source server IP address.

    The scripts to be executed in this step are located in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange and /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folders.

    • To change the IP address of the server in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder, enter

      ruby server-yast-ipchange.rb --old-ip <target_server IP> --ip <source_serverIP>

      For example, ruby server-yast-ipchange.rb --old-ip 172.16.200.201 --ip 172.16.100.101

    • The ipchange folder contains the scripts that need to be executed to change the IP address of the services. For example, to change the IP address of a service on the target server by using the iprintipchange.sh script in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange folder, enter

      <server-script> <target_server IP> <source_server IP> <source_server IP> <source_server IP>

      For example, iprintipchange.sh 172.16.200.201 172.16.100.101 172.16.100.101 172.16.100.101

      You also need to run the remaining scripts for other services in the same manner.

      WARNING: If a script fails to change the IP address, or you terminate the operation manually, the system may hang. If a service-specific IP address script fails to change the IP address, replace the <service>.conf file with the <service>.orig file. For example, if eDirectory authentication fails on completion of the IP Change step, do the following:

      cp /etc/opt/novell/eDirectory/conf/nds.conf.orig /etc/opt/novell/eDirectory/conf/nds.conf

    • To change the IP address in the configuration files of each service on the target server, enter the following in the /opt/novell/migration/sbin/serveridswap/scripts/ipchange/nonplugin folder:

      ipchange.sh <oldip> <newip> <oldremoteip> <newremoteip> yes

      Here, oldip is the IP address of the existing server and newip is the new IP address assigned to the server. The oldremoteip and newremoteip values are the IP address of the Master Replica server. If the Master Replica server IP address is not changed, oldremoteip and newremoteip can be the same.

      For example, ipchange.sh 172.16.200.201 172.16.100.101 172.16.200.200 172.16.200.200 yes

      If you want to execute any additional scripts, copy them to the /ipchange/nonplugin folder in the same pattern as the existing scripts.

  7. Host Name Change: Host names of the services are changed to the source server hostname.

    1. To change the hostname of the server and the services, go to the /opt/novell/migration/sbin/serveridswap/scripts/hostchange folder and enter

      <hostname-script> <targethostname> <sourcehostname>

      For example, server-hostname-change.sh aus-market201.marketing.com aus-market101.marketing.com

      If you want to execute any additional scripts, copy them to the nonplugin folder in the same pattern as the existing scripts.

      For example, ./iprinthostchange.sh oldhostname newhostname oldmasterhostname newmasterhostname

      where oldhostname is the old server host name and newhostname is the new server host name. The master hostname is the hostname of the master server in the eDirectory tree. The oldmasterhostname and newmasterhostname can be the same if the master hostname is not changed on performing Transfer ID migration.

      WARNING: If a script fails to change the hostname, or you terminate the operation manually, the system may hang. If a service-specific hostname script fails to change the hostname, replace the <service>.conf file with the <service>.orig file. For example, if iPrint authentication fails on completion of the Hostname Change step, do the following:

      cp /etc/opt/novell/iprint/httpd/conf/iprint_ssl.orig /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf

    2. On the console, enter

      hostname <sourceserver_name>

      The above command changes the hostname of the server when you log in again.

  8. Reinitialize Server: Reinitialize the target server with the IP address and hostname of the source server. In this step, eDirectory is also restarted.

    • To reinitialize the server, enter

      /etc/init.d/network restart

    • To restart eDirectory, enter

      /etc/init.d/ndsd restart

    Next, you need to repair eDirectory, certificates for the server, LUM, and other OES services on the target server.

  9. Repair: Performs repair of eDirectory, certificates, LUM, and services on the target server. The ndsrepair command is used to perform eDirectory repair. The service-specific repairs run only for services that were migrated using the current project.

    1. eDirectory: Performs repair of eDirectory.

      To repair eDirectory, enter

      /opt/novell/eDirectory/bin/ndsrepair -U

      To restart eDirectory, enter

      /etc/init.d/ndsd restart

      Ensure that you fix all errors before proceeding to the next step.

    2. Repair Certificates: To create the SAS object, enter

      /opt/novell/eDirectory/bin/ndsconfig add -m sas -a <admin dn> --config-file /etc/opt/novell/eDirectory/conf/nds.conf

      1. To regenerate the certificate on the target server, enter

        /opt/novell/oes-install/util/getSSCert -a <new_ip_address> -t <treename> -u <admindn dot format> -x <password>

        For example, /opt/novell/oes-install/util/getSSCert -a 172.16.100.101 -t TESTTREE -u cn=admin.o=novell -x novell

        The regenerated SSCert.der certificate is stored at /etc/opt/novell/certs location.

      2. To convert the certificate to the pem format, enter

        openssl x509 -inform der -in /etc/opt/novell/certs/SSCert.der -outform pem -out /etc/opt/novell/certs/SSCert.pem

      3. To verify the health of eDirectory, enter

        ndscheck -h <new_ip_address> -a <admindn dot format> -w <adminpass> -F <Project_path>

        For example, ndscheck -h 172.16.100.101 -a cn=admin.o=novell -w novell -F /var/opt/novell/migration/Newproject1/ndscheck.log

        You must resolve all errors before proceeding to the next step. It is recommended to back up the nam.conf file before proceeding with the next step.

      4. (Conditional) To remove the existing nam.conf, enter

        rm /etc/nam.conf

    3. LUM: Creates or modifies the existing Unix Workstation object:

      • If the source server is NetWare, a new Unix Workstation object is created. Enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admindn comma format> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.c.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        NOTE:If the value of the preferred-server parameter is the same as the IP address of the target server, then the value of the ldap-server-ip must be the same as the IP address of either the source server or the appropriate LDAP server.

      • If the source server is OES 1 Linux, OES 2 Linux or OES 11, the Unix workstation object is retained. To modify the Unix workstation object, enter the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a <admindn comma format> -p <admin password> -S <ldap-server-ip> --ldap-port <port number> -u <Unix_config_object-dn>

        where Unix_config_object-dn is the value of the base-name parameter in the nam.conf file. A backup of the file was created in Step 1.d.

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-reconf.rb -a cn=admin,o=novell -p novell -S 172.16.200.201 --ldap-port 636 -u "o=novell"
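
One way to derive the -u and -S values described above from the nam.conf.target backup, including the rule in the NOTE about a preferred-server that equals the target's own address. This is an added example, not part of the Migration Tool; the function names are hypothetical and the key=value layout of nam.conf is an assumption.

```shell
#!/bin/sh
# Added example (not part of the product documentation). Function names are
# hypothetical; the key=value layout of nam.conf is an assumption.

# Print the value of KEY from a nam.conf-style FILE. Values such as o=novell
# contain '=' themselves, so only the first '=' separates key and value.
namconf_get() {
    nc_key=$1 nc_file=$2
    sed -n "s/^[[:space:]]*${nc_key}[[:space:]]*=[[:space:]]*//p" "$nc_file" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Choose the -S value. Per the NOTE above, a preferred-server that equals the
# target's own (pre-Transfer ID) address is replaced by FALLBACK_IP, the
# source server or another appropriate LDAP server.
# usage: resolve_ldap_server NAMCONF TARGET_IP FALLBACK_IP
resolve_ldap_server() {
    rs_pref=$(namconf_get preferred-server "$1")
    [ -n "$rs_pref" ] || { echo "preferred-server not found in $1" >&2; return 1; }
    if [ "$rs_pref" = "$2" ]; then echo "$3"; else echo "$rs_pref"; fi
}

# Print the nam-reconf.rb arguments; the password stays a placeholder.
# usage: reconf_args NAMCONF ADMIN_DN TARGET_IP FALLBACK_IP LDAP_PORT
reconf_args() {
    ra_base=$(namconf_get base-name "$1")
    [ -n "$ra_base" ] || { echo "base-name not found in $1" >&2; return 1; }
    ra_srv=$(resolve_ldap_server "$1" "$3" "$4") || return 1
    printf '%s\n' \
        "-a $2 -p <admin password> -S $ra_srv --ldap-port $5 -u \"$ra_base\""
}

# Constructed sample standing in for <Project_path>/nam.conf.target
sample=$(mktemp) || exit 1
printf '%s\n' '# constructed sample' 'base-name = o=novell' \
    'preferred-server=172.16.200.201' > "$sample"
reconf_args "$sample" cn=admin,o=novell 172.16.200.201 172.16.100.101 636
rm -f "$sample"
```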

      1. To copy the certificate for LUM operations, enter

        cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.<new_ip_address>.der

        For example, cp /etc/opt/novell/certs/SSCert.der /var/lib/novell-lum/.172.16.100.101.der

      2. (Conditional) If the source server is NetWare, run the command to modify the users and groups listed in Step 1.e:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-grpmod.rb -H <source short hostname> -a <admin dn> -S <ldap-server-ip> --ldap-port <port number> -p <password> --grp <group FDN> -l <LUM enabled user and groups> [--check]

        ldap-server-ip is the value of the preferred-server parameter in the nam.conf.target file.

        | Parameters | Description |
        |---|---|
        | -H | Specify the hostname of the source server. |
        | -a | Specify the administrator’s name in LDAP format. |
        | -S | Specify the IP address of the preferred LDAP eDirectory server. |
        | --ldap-port | Specify the port for LDAP server to listen on. |
        | -p | Specify the administrator’s password. |
        | --grp | Specify the group to be modified. |
        | -l | Specify the list of LUM enabled user and groups in fully distinguished format. |
        | --check | Verify LUM enabled users and groups. |

        When prompted, enter the password for the administrator.

      3. (Conditional) If the source server is OES 1 Linux, OES 2 Linux or OES 11, modify the users and groups by entering the following command:

        ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H <new_server short hostname> -a <admindn_comma_format> -p <password> -S <ldap-server-ip> --ldap-port <port number>

        For example, ruby /opt/novell/migration/sbin/serveridswap/scripts/repair/nam-fix.rb -H mark-nov101 -a cn=admin,o=novell -p novell -S 172.16.100.101 --ldap-port 636

      4. Refresh LUM Cache: Run /usr/bin/namconfig cache_refresh to rebuild the LUM cache.

      5. (Conditional) If the source server is an OES Linux server, enter

        chown -R wwwrun:www /var/opt/novell/nici/30

        You must change the ownership so that you can log in to iManager after Transfer ID.

    4. To repair pool and volume objects, enter

      /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a <admindn_comma_format> -p <password> -f <project_path>/fs

      For example, /opt/novell/migration/sbin/serveridswap/scripts/repair/volrepair.rb -a cn=admin,o=novell -p novell -f /var/opt/novell/migration/NewProj1/fs

    5. Services: Execute the repair scripts for the services that were migrated before performing Transfer ID.

      • To repair iPrint service, enter

        /opt/novell/migration/sbin/serveridswap/scripts/repair/iprintrepair.sh -s <new IP> -u <admindn comma format> -T <source type {-L|-N}> -p <ssl port> -S

        For example, /opt/novell...iprintrepair.sh -s 172.16.100.101 -u cn=admin,o=novell -T -L -p 636 -S

        Specify the -S option only when the LDAP server is configured for SSL.

      • To repair CIFS service, enter

        sh /opt/novell/migration/sbin/migcifs.sh -s <new IP> -p <ssl port> -a <admindn_ldap_format> {-f 1 <if ssl> | -f 0 <non-ssl>} -t <tree name> -d <target server IP> -q <port> -b <admin name> {-g 1 <if ssl> | -g 0 <non-ssl>} -m <project_path>/cifs/cifsSourceShares.tmp -S 3 -r

    6. Others: Execute the repair scripts for the services that are not included in the plug-ins of the Migration Tool.

      • NSS Admin Object: To repair the NSS admin object, execute the following on the target server depending on the source server (NetWare or OES):

        /opt/novell/migration/sbin/serveridswap/scripts/repair/nss-adminrepair.sh -a <admindn dot format> -p <admin password> -s <source server [OES/NW]> -o <nssadmin object name with server context>

        where -a, -p, -s are mandatory parameters. If the source server is NetWare (NW), the -o option is required to create a new NSS admin object.

        For example: nss-adminrepair.sh -a admin.sales.novell -p test -s NW -o nssAdminUser.sales.novell

      • Common Proxy:

        • If the source is NetWare, to repair common proxy on the target OES 11 SP2 server, execute the following:

          /opt/novell/proxymgmt/bin/mignwproxy.sh -d <LDAP Admin FDN> -w <LDAP Admin Password> -i <LDAP-Server-IP-Address> -p <LDAP Secure Port>

        • If the source is Linux, to perform common proxy migration on the target OES 11 SP2 server, see Section 32.2.1, Services that are Using Common Proxy.

      • NetStorage: To repair NetStorage, enter the following commands:

        /opt/novell/xtier/bin/xsrvcfg -D

        /opt/novell/xtier/bin/xsrvcfg -d <ipaddress> -c <context>

        where context is the value of the attribute CONFIG_XTIER_USERS_CONTEXT in the /etc/sysconfig/novell/netstore11 file.

        /usr/sbin/rcnovell-xregd restart

        /usr/sbin/rcapache2 restart

  10. Restart Server: Restart the target server for the changes to take effect.

    On successful completion of the Transfer ID migration, the target server functions with the source server’s eDirectory identity.
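
Several commands in this procedure take the administrator password as a command-line argument (-p, -w or -x), so it is recorded in the shell history of the account that ran them and is visible in the process list while the command runs. The following added example, which is not part of the Migration Tool, prints a history file with those password values replaced; redact_history is a hypothetical helper and its flag table is taken from the syntax lines in the steps above.

```shell
#!/bin/sh
# Added example (not part of the product documentation). redact_history is a
# hypothetical helper; the flag table is taken from the syntax lines above.

# Print HISTFILE with the password arguments of the Transfer ID commands
# replaced by <redacted>. Runs of blanks are collapsed to one space.
redact_history() {
    awk '
    BEGIN {
        # command name -> option whose value is the administrator password
        pwflag["ndsconfig"] = "-w"; pwflag["ndscheck"] = "-w"
        pwflag["mignwproxy.sh"] = "-w"; pwflag["getSSCert"] = "-x"
        pwflag["nam-reconf.rb"] = "-p"; pwflag["nam-grpmod.rb"] = "-p"
        pwflag["nam-fix.rb"] = "-p"; pwflag["volrepair.rb"] = "-p"
        pwflag["nss-adminrepair.sh"] = "-p"
        # iprintrepair.sh and migcifs.sh are left out on purpose: their -p
        # is the SSL port, not a password.
    }
    {
        n = split($0, tok, /[ \t]+/); flag = ""; out = ""
        for (i = 1; i <= n; i++) {
            t = tok[i]; base = t; sub(/^.*\//, "", base)
            if (base in pwflag) flag = pwflag[base]
            out = out (i > 1 ? " " : "") t
            if (flag != "" && t == flag && i < n) {
                v = tok[++i]; q = substr(v, 1, 1)
                # a quoted password may contain blanks: skip to the closing quote
                if (q == "\"" || q == "\047")
                    while (i < n && (length(v) < 2 || substr(v, length(v)) != q))
                        v = tok[++i]
                out = out " <redacted>"
            }
        }
        print out
    }' "$1"
}

# Constructed sample history built from two example commands on this page;
# which history file to pass on a real system is left to the administrator.
hist=$(mktemp) || exit 1
cat > "$hist" <<'EOF'
ndscheck -h 172.16.100.101 -a cn=admin.o=novell -w novell -F /var/opt/novell/migration/Newproject1/ndscheck.log
/opt/novell/migration/sbin/serveridswap/scripts/repair/iprintrepair.sh -s 172.16.100.101 -u cn=admin,o=novell -T -L -p 636 -S
EOF
redact_history "$hist"
rm -f "$hist"
```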